From owner-freebsd-security@FreeBSD.ORG  Thu Sep 20 23:29:48 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: by hub.freebsd.org (Postfix, from userid 664)
	id 365351065672; Thu, 20 Sep 2012 23:29:48 +0000 (UTC)
Date: Thu, 20 Sep 2012 16:29:47 -0700
From: David O'Brien <obrien@FreeBSD.org>
To: Jonathan Anderson <jonathan@FreeBSD.org>
Message-ID: <20120920232947.GA40126@dragon.NUXI.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<A8FD98DD94774D00B4E5F78D3174C1B4@gmail.com>
	<20120919192923.GA1416@garage.freebsd.pl>
	<20120919205331.GE1416@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<269BF2927F4A4BB5B0F4A4155F2294A6@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <269BF2927F4A4BB5B0F4A4155F2294A6@FreeBSD.org>
X-Operating-System: FreeBSD 10.0-CURRENT
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: freebsd-security@FreeBSD.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>,
	Pawel Jakub Dawidek <pjd@FreeBSD.org>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: obrien@freebsd.org
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 23:29:48 -0000

On Thu, Sep 20, 2012 at 11:32:53AM +0100, Jonathan Anderson wrote:
> As I believe theraven@ pointed out a couple of days ago: it is very
> silly indeed that we are taking data generated by the kernel (process
...

I thought I had mentioned something like this in the rc.d thread, 
but it seems it was to an internal $WORK thread.

It would seem to me that adding a 'initialize_devrandom_seeding' sysctl
for use in 'initrandom' or the single-user user could be better than
running userland commands (sysctl, dmesg, kenv) or being restricted to
commands in /[s]bin where there are some interesting ones in /usr/bin
that aren't available to 'initrandom'.

This would allow us to specify >0 bits entropy from this data.

-- 
-- David  (obrien@FreeBSD.org)